[WBEL-users] /etc/shadow and Samba
Shawn M. Jones
smj@littleprojects.org
Wed, 23 Jun 2004 11:29:01 -0400 (EDT)
On Wed, 23 Jun 2004, Mario Gamito wrote:
> I'm running Samba (3.0.4 compiled by me) in WBL.
> I have this script in smb.conf that allows Windows users to change their
> domain password from their Windows machines.
>
> Well, the problem is that /etc/shadow has permissions -r-------- and
> obviously this way there's no password change for anyone.
> I tried giving 777 permission to /etc/shadow and it worked, but
> obviously that's not what I want :P
>
> Is there a way to turn this around without messing with /etc/shadow
> permissions?

You could make your script owned by root and suid, allowing it to change
permissions of /etc/shadow while it's running and updating /etc/shadow
with new data. I'd suggest having it change it back to 0400 when it's
done.

Some security experts think suid is a bad way of doing things,
primarily because the script is running AS ROOT, and anything that can
make it crash can give the person running it root privs, but it might be
the best option you have.

The Unix passwd command has suid permissions, and that's how it
accomplishes said goal:

    -r-s--x--x 1 root root 16248 Dec 12 2003 /usr/bin/passwd

Hope this helps,

Shawn M. Jones
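
An added audit sketch for the two conditions raised in this thread (not part of the original message, and not Samba's or WBEL's own tooling): it checks that a shadow file grants nothing beyond owner read/write, and flags setuid files that are `#!` scripts or writable by group/other. The function names are hypothetical and the files it inspects are constructed fixtures in a temp directory; note that Linux ignores the setuid bit on interpreted scripts, which is why a setuid script is reported.

```shell
#!/bin/sh
# Added example: every path under the temp dir is a constructed fixture.

# Succeeds only if FILE is a regular file with at most owner read/write
# (e.g. 0400 or 0600): no group/other bits, no execute bit, no setuid.
shadow_mode_ok() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case $mode in
        -[r-][w-]-------) return 0 ;;
        *) return 1 ;;
    esac
}

# Succeeds if FILE has the setuid bit and starts with "#!". Linux ignores
# setuid on interpreted scripts, so the bit there signals a mistake to review.
is_setuid_script() {
    [ -u "$1" ] || return 1
    [ "$(dd if="$1" bs=2 count=1 2>/dev/null)" = '#!' ]
}

# Succeeds if FILE is writable by group (column 6) or other (column 9).
is_loosely_writable() {
    mode=$(ls -ld -- "$1" | cut -c1-10)
    case $mode in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Prints one finding per line for setuid files under DIR (names without newlines).
audit_setuid() {
    find "$1" -type f -perm -4000 | while IFS= read -r f; do
        if is_setuid_script "$f"; then echo "SETUID-SCRIPT $f"; fi
        if is_loosely_writable "$f"; then echo "SETUID-WRITABLE $f"; fi
    done
}

# Builds the constructed fixture and prints its directory.
make_fixture() {
    d=$(mktemp -d) || return 1
    printf 'user:x:constructed\n' > "$d/shadow";      chmod 0400 "$d/shadow"
    printf 'user:x:constructed\n' > "$d/shadow_open"; chmod 0777 "$d/shadow_open"
    printf '#!/bin/sh\n:\n' > "$d/chpass.sh";         chmod 4755 "$d/chpass.sh"
    printf 'not-a-script\n' > "$d/helper";            chmod 4775 "$d/helper"
    printf '#!/bin/sh\n:\n' > "$d/plain.sh";          chmod 0755 "$d/plain.sh"
    echo "$d"
}

# Demo on the fixture; on a real host pass /etc/shadow and the directories to audit.
demo=$(make_fixture)
shadow_mode_ok "$demo/shadow_open" || echo "BAD-MODE $demo/shadow_open"
audit_setuid "$demo"
rm -rf "$demo"
```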